diff --git a/README.md b/README.md index 78a3c10..b0149b6 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # auth-proxy -A lightweight Go auth proxyway that sits in front of sensitive services (phpMyAdmin, Gitea, +A lightweight Go auth proxy that sits in front of sensitive services (phpMyAdmin, Gitea, uptime kuma) and provides: - IP-based whitelisting (permanent and temporary via REST API with TTL, stored in SQLite) diff --git a/docs/design.md b/docs/design.md index 70bb55d..343d2c9 100644 --- a/docs/design.md +++ b/docs/design.md @@ -94,16 +94,20 @@ For a handful of IPs (dozens at most), SQLite is: - Fast (single-file, no network). - No external dependencies. -## Why in-memory temporary whitelist? +## Why not in-memory temporary whitelist? -For a handful of IPs (dozens at most), an in-memory map is: +We originally considered an in-memory map but switched to SQLite because: -- Simple to implement. -- Fast (O(1) lookup). +- Persistence across restarts. +- ACID transactions. +- Simple WAL mode for concurrent reads. + +For a handful of IPs (dozens at most), SQLite is: + +- Simple to deploy. +- Fast (single-file, no network). - No external dependencies. -If you need persistence across restarts, add a disk-backed store later. - ## Why a background cleanup goroutine? The cleanup goroutine removes expired temporary entries and rotates the audit log. @@ -118,4 +122,3 @@ may not be available (no host filesystem access). ## Why not use Redis? For our use case, Redis is overkill. -We chose an in-memory map + periodic cleanup. diff --git a/docs/security.md b/docs/security.md index 56a5fac..48d8703 100644 --- a/docs/security.md +++ b/docs/security.md @@ -48,7 +48,7 @@ Each entry records: Retrieve logs via the `/api/logs` endpoint. -The audit log is automatically rotated to maintain a maximum of 100,000 entries. +The audit log is automatically rotated to maintain a maximum of 200,000 entries. ## IP validation